Extended Definition Mode

When Control‑M submits a job the following checks are made:

1. The user ID specified in the owner field of the job definition is authorized to read the JCL library. The CLASS checked is DATASET; the entity checked is the JCL library name. To allow a user to access a JCL library, use one of the following commands, as appropriate:

   For RACF:

   PERMIT jcl‑library‑name ACC(READ) ID(USERA)

   For TSS:

   TSS PERMIT (USERA) DSN(jcl-library-name) ACC(READ)

   For ACF2/SAF:

   COMP
   $KEY(jcl-library-name)
   UID(USERA) ALLOW

2. If the job statement does not contain parameter USER, or the JCL does not contain a //*JOBFROM statement when ACF2/SAF is in use, parameter USER is added to the job statement and set to owner.

   For RACF security, parameter GROUP is optionally added to the job statement and set to the RACF default group.

   If the USER parameter exists, the user ID or //*JOBFROM value (for ACF2 users) specified is not the same as the owner of the job definition, and parameter MSUBCHK is set to N (No), the job submission is cancelled.

   If the USER parameter exists, the user ID specified is not the same as the owner, and parameter MSUBCHK is set to Y (Yes), the class checked is
   [SURROGAT | ACIDCHK | CMF] and the entity checked is
   cl-userid.SUBMIT | the JCL user ID | $SUBMIT.cl-userid].

   userid is the user ID assigned to the job being submitted.

   For a started task, the CLASS checked is FACILITY. The entity checked is $$STRSTC.qname.stcname

3. To permit USERA to start a started task named SYSMON, use the following command:

   For RACF:

   PERMIT $$STRSTC.qname.SYSMON ACCESS(READ) ID(USERA) CLASS(FACILITY)

   For TopSecret:

   TSS PERMIT(USERA) IBMFAC($$STRSTC.qname.SYSMON) ACC(READ)

   For ACF2/SAF:

   SET RESOURCE(CMF)
   COMP
   $KEY($$STRSTC.qname.STC1) TYPE(CMF)
   UID(USERA) ALLOW